Taking TWIC beyond 'flash pass' status

Even though the TSA doesn't yet mandate it, some TWIC users are moving forward


More than a year after the Transportation Security Administration launched the Transportation Worker Identification Credential (TWIC) program, the market continues to wonder how and when it will fully leverage the biometric data contained inside these TWIC credentials.

TWIC cards are smart cards rich with security features: each contains a dual-interface integrated circuit chip, a magnetic stripe, and a linear bar code. Yet many of these cards today are being used as a mere "flash pass." They are visually inspected to see if the photo matches the card holder and to determine if the card itself is authentic before permitting card holders access to highly secure properties and vessels regulated by the Maritime Transportation Security Act.

The reason that many of these TWIC cards have continued to be used as flash passes is that the TSA has yet to begin Phase Two of the TWIC program, where it may mandate that facilities use biometric readers to verify that the electronic biometric information stored within the TWIC matches that of the cardholder.

It's true that much of the market continues to use the TWIC card as a very basic form of identification and the reasons for this are simple. First, facilities don't know that grant money is available through the Department of Homeland Security to fund the purchase and implementation of biometric readers as part of the TWIC program. Second, facilities continue to wait for the TSA to issue a ruling about biometric reader technology to identify approved mobile and fixed reader devices.

Verifying TWIC: It can be done

Today, the TSA continues to test various biometric card reader technologies, but has not announced any formal mandates, a timeline for implementation or specific funding details. But it's a misconception to think that no one is using the TWIC card beyond its flash pass status.

In fact, there are several forward-thinking organizations that have recently taken the initiative and implemented a TWIC credential validation program, enabling them to truly access the data and high security features inside these cards.

The Port of Wilmington, Delaware; the Jacksonville Port Authority; and Marathon Oil are a few examples of facilities that implemented a TWIC credential validation program. These organizations, which operate ports and a petrochemical facility, are governed by the Maritime Transportation Security Act due to their location on our waterways, and could have waited for the TSA to make its decision regarding biometric card reading technology. Instead, the organizations decided to take full advantage of the TWIC cards by deploying software that can read, validate, authenticate and register the TWIC card into their PACS database, and then continue to re-validate the TWIC by checking the TSA hotlist daily. Some locations also deployed fixed biometric TWIC readers at exterior gates.

The benefits to these facilities are vast because they can verify the validity of the TWIC card, check the card holder against the TSA hotlist, and revoke access privileges in real time. Verifying TWICs before the final ruling also ensures that cardholders have been issued working credentials, which otherwise may not be used until the final rule goes into effect.

When a facility uses a TWIC card merely as a flash pass, there's no sure way to know if it's a cloned or forged card, because the security features which reside inside the TWIC cannot be accessed without presenting the card to a card reader. This creates the potential for black market cards that are made to look like TWIC cards but are fake versions of the real credentials.

Checking the list

An important component directly linked to verifying TWIC cards is the TSA hotlist, a real-time database of revoked TWIC credentials. A TWIC can be revoked for a variety of reasons, including certain criminal activities, such as murder, treason, espionage, or a Transportation Security incident. However, most of the TWICs on the hotlist have been revoked because the cardholder lost his card or the TWIC itself needed to be replaced for some reason. This database of revoked cards is updated on a daily basis. Organizations that are proactively checking the TSA hotlist have been able to identify TWIC cardholders who should not be given access to secure areas.
